Facebook doesn't invalidate the token. Isn't invalidating tokens incompatible with architectures which use self-contained (cryptographic) tokens instead of random strings?! If so, making this a requirement would force the server developers to implement a TRL (token revocation list, similar to a CRL) where every token - even those cryptographically valid - would need to be checked against. While this would be great from a security perspective, it might be impractical.
2010/10/14 Eran Hammer-Lahav <e...@hueniverse.com>:
> Hopefully you also invalidate the token (if bearer) since it was sent over an
> insecure channel.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Breno
>> Sent: Wednesday, October 13, 2010 11:31 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Request sent to http: instead of https:
>>
>> Suppose server A documents that their endpoint X is at
>> https://server.example.com/x; there's no service at the corresponding http
>> location for security reasons.
>>
>> Client developer fatfingers URL as http://server.example.com/x
>>
>> What is the correct response? I understand that this is out of scope for the
>> spec, but maybe there's agreement on some guidance?
>>
>> One thing one shouldn't do is serve a 302 here; it would allow defective
>> clients to remain unpatched.
>>
>> My preference is to simply return a bare 403 or 404 here -- after all the
>> endpoint does not exist (404) or if one uses the convention that resources at
>> http/https are usually identical, then http is a non-authorized method to
>> access the resource (403).
>>
>> Thoughts?
>>
>> --
>> Breno de Medeiros
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
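The server-side behaviour the thread converges on, as an added Python example that is not part of the thread or of any real server: a self-contained HMAC-signed bearer token, the token revocation list ("TRL") the reply describes, and a handler for the https-only endpoint that answers an http: request with 404 (never a 302) and revokes any valid bearer token it arrived with. The token format, the `jti` claim and the handler shape are assumptions; only the endpoint URL comes from the thread.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the thread or any real server): an HMAC-signed
# token, the "TRL" the reply describes, and a handler that returns 404, not 302.
SIGNING_KEY = b"constructed-example-key"  # constructed, not a real key
REVOKED_JTIS = set()  # token revocation list, keyed by token id (jti)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, jti, exp):
    """Mint a self-contained token: base64url(payload).base64url(hmac)."""
    payload = json.dumps({"sub": subject, "jti": jti, "exp": exp}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token):
    """Return the claims if signature, expiry and the TRL all pass, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        # A cryptographically valid token must still be checked against the TRL.
        if claims["exp"] < int(time.time()) or claims["jti"] in REVOKED_JTIS:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return claims

def handle_request(scheme, authorization):
    """Status for GET /x, which exists only at https://server.example.com/x."""
    token = authorization[7:] if (authorization or "").startswith("Bearer ") else None
    if scheme != "https":
        # No 302: a redirect would let a defective client keep leaking tokens. Only
        # a validly signed token is revoked, so arbitrary ids can't fill the TRL.
        claims = verify_token(token)
        if claims:
            REVOKED_JTIS.add(claims["jti"])
        return 404
    return 200 if verify_token(token) else 401
```

The TRL here is an in-memory set; a real deployment would persist it and prune entries once their `exp` has passed, since an expired token fails verification anyway.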